You Might Be Unintentionally Disclosing HIPAA Sensitive Patient Information



If you work in healthcare, you must keep all your systems, medical software solutions, and applications compliant with HIPAA standards, because all of these solutions handle patients' confidential medical data.

It is worth engaging one of the best healthcare software companies to ensure that all your clinical solutions and apps are secure. You probably spend a lot of time making sure that all your computers are safe and that patients' sensitive health-related information stays out of the public eye.

Even if you take all the necessary measures to protect Personal Health Information (PHI) against hackers, there are several other ways in which you might be disclosing it. Let's explore the top six.

1. Responding To Reviews On Websites Or Listings

Your healthcare organization probably has listings on various platforms such as Google, Facebook, Yelp, or physician review websites. These platforms allow people to post reviews and comments about your clinical services. Many reviews might be negative and contain defamatory information.

Simply responding to one of these negative reviews confirms that the particular individual was your patient, even if you disclose nothing else about that person or their medical history. For instance, in 2013 Shasta Regional Medical Center was accused of revealing patient information in response to an unfavorable newspaper article, and paid a penalty of $275,000.

You can avoid such a situation by simply not responding to negative reviews. If you do respond, give only a general reply that describes your practice's care guidelines without divulging any information about the patient. Alternatively, contact the person directly and address their concerns privately.

2. Unintended Attachments In Emails

Your healthcare organization might communicate with patients by email. If you are not careful, however, you may reveal sensitive patient information in the process.

According to HIPAA guidelines, emails to patients need stronger protection than the TLS or SSL transport encryption used by most email services. It is also quite possible to send one patient's information to another patient by mistake. For example, in 2015 Massachusetts General Hospital accidentally sent an email containing the PHI of 648 patients to the wrong email address.

You can avoid this by using a specialized encryption service that separates encrypted attachments from the rest of the email and requires personal verification before they can be opened. You can also train your employees to be careful with messages and attachments containing PHI.

3. Hidden Or Missing Meta Information In Special File Formats

You need to be extra careful with file formats such as JPEG and other image files. Also pay attention to Microsoft Office documents and videos, because all of these files often carry embedded metadata that can include PHI.

When sending one of these files to a coworker, you may be unintentionally passing along PHI that you were not even aware was part of the file. This metadata can contain patients' personal details such as names and email addresses, as well as hidden text, comments and more.

You can avoid this by making your employees aware of the metadata hidden in different file types and teaching them how to scrub files of metadata before sharing. You can also train them to use a metadata tool that automates the scrubbing process when transferring large files.
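To make the metadata problem concrete, here is an added example (not code from the original article or from any metadata tool it refers to) that does for JPEG files what the section above describes: it walks the JPEG marker structure, reports the APPn and COM segments where EXIF, XMP, IPTC and free-text comments live, and writes a copy with those segments removed while leaving the image data untouched. The sample file bytes are constructed inline and are not a real photograph.

```python
import struct

# JPEG marker codes (the byte that follows 0xFF)
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP0, APP1, APP15 = 0xE0, 0xE1, 0xEF


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def _walk_segments(data: bytes):
    """Yield (offset, marker, payload) for each header segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield pos, marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:
            return  # entropy-coded scan data follows; no further headers to inspect


def find_metadata(data: bytes) -> list:
    """Report every APP1..APP15 or COM segment as (segment name, payload length).
    APP0 (the JFIF header) is structural, not metadata, so it is not reported."""
    found = []
    for _, marker, payload in _walk_segments(data):
        if APP1 <= marker <= APP15:
            found.append((f"APP{marker - APP0}", len(payload)))
        elif marker == COM:
            found.append(("COM", len(payload)))
    return found


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with all APP1..APP15 and COM segments removed.
    Image segments (DQT, DHT, SOF, SOS and the scan data) are copied byte-for-byte."""
    out = bytearray(b"\xff\xd8")
    end_of_headers = 2
    for offset, marker, payload in _walk_segments(data):
        seg_len = 4 + len(payload)
        end_of_headers = offset + seg_len
        if APP1 <= marker <= APP15 or marker == COM:
            continue  # drop the metadata segment
        out += data[offset:offset + seg_len]
    out += data[end_of_headers:]  # scan data and EOI, unchanged
    return bytes(out)


# Constructed sample (not a real image): a minimal JPEG header set carrying the
# kind of metadata a camera app or scanner might embed.
EXIF_PAYLOAD = b"Exif\x00\x00II*\x00\x08\x00\x00\x00" + b"Dr. Example; Exam Room 4"
COMMENT_PAYLOAD = b"Patient: Jane Doe, MRN 0000000"
SAMPLE_JPEG = (
    b"\xff\xd8"                                                        # SOI
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # JFIF header, kept
    + _segment(APP1, EXIF_PAYLOAD)                                     # EXIF block, dropped
    + _segment(COM, COMMENT_PAYLOAD)                                   # free-text comment, dropped
    + _segment(0xDB, bytes(65))                                        # DQT quantisation table, kept
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")                       # start of scan, kept
    + b"\x12\x34\x56"                                                  # entropy-coded data, kept
    + b"\xff\xd9"                                                      # EOI
)

if __name__ == "__main__":
    print("metadata before:", find_metadata(SAMPLE_JPEG))
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("metadata after: ", find_metadata(cleaned))
    print("bytes removed:  ", len(SAMPLE_JPEG) - len(cleaned))
```

This handles JPEG only; Office documents keep their author and comment properties in XML parts inside a zip container and need a separate scrub. Dropping every APPn segment also removes ICC colour profiles (APP2), which is usually an acceptable trade-off for a file leaving the organization, but it is worth confirming the output still renders as expected.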

4. Devices Getting Synced Automatically To Apps & Clouds

If the staff members of your medical organization use mobile phones that sync PHI to the cloud or to another service, you have to be very careful that the right agreements are in place.

When you use tools such as iCloud or Dropbox without a signed Business Associate Agreement (BAA), your patients' PHI is not safe. These agreements ensure that the contracted business properly follows all HIPAA guidelines. For example, North Memorial Health Care was fined $1.55 million in 2011 because it did not have an appropriate BAA in place.

You can easily avoid this by signing a BAA with every secondary business with whom you exchange or share PHI. You can also ensure that only the appropriate employees are able to access PHI by monitoring access to the cloud service or app.

5. Posting On Social Media Platforms At Your Workplace

Your clinical organization might have its own page on social media sites such as Facebook, where you post regularly in order to stay current. But you might get into trouble when your organization's public page, or employees' personal pages, are used to post about work.

HIPAA violations happen when PHI is posted on social media. This could include anything from pictures of desks and the workplace to pictures of patients. People could be recognized from these images, and paperwork visible in them could reveal PHI. Comments on social media posts can also reveal PHI. For instance, in 2017 a medical employee was fired for posting a comment on Facebook about a patient who died in an automobile crash.

You can avoid such a situation by making a rule that there will be no social media posting for your organization. Alternatively, you can educate employees on how to post on social media safely.

6. Looking For A Second Opinion From Peers

When you encounter a daunting medical case, you naturally want suggestions from your colleagues. While you are only trying to help the patient, you risk violating HIPAA guidelines.

A colleague does not have a right to access PHI if they are not officially associated with the patient's case. You might also violate HIPAA guidelines by showing colleagues medical test results that contain PHI.

You can avoid this by following the correct procedures for bringing additional practitioners onto the case or for requesting a second opinion. In addition, you should always discuss patient information with your colleagues in private areas. Also, make a habit of not disclosing information that could be traced back to a specific patient.

Keeping patients' confidential health-related data safe should be the sole motive of your medical organization. Not only will it add value to your company, but it is also required by the Health Insurance Portability and Accountability Act (HIPAA). So if you want to avoid paying heavy penalties, check your company or organization for these six unexpected errors and keep PHI secure.
